What I'd like to ask is if anybody knows about an hardware USB-dongle for software protection which offers a very complete out-of-the-box API support for cross-platform Java deployments.

Its SDK should provide a jar (only one, not one different library per OS & bitness) ready to be added to one's project as a library.

The jar should contain all the native stuff for the various OSes and bitnesses.

From the application's point of view, one should continue to write (API calls) once and run everywhere, without having to care where the end-user will run the software.

The provided jar should itself deal with loading the appropriate native library.

Does such a thing exist?

With what I've tried so far, you have different APIs and compiled libraries for win32, linux32, win64, linux64, etc (or you even have to compile stuff yourself on the target machine), but hey, we're doing Java here, we don't know (and don't care) where the program will run!

And we can't expect the end-user to be a software engineer, tweak (and break!) his Linux server, link libraries, mess with gcc, litter the filesystem, etc...

In general, Java support (in a transparent cross-platform fashion) is quite bad with the dongle SDKs I've evaluated so far (e.g. KeyLok and SecuTech's UniKey).
I even purchased (no free evaluation kit available) SecureMetric SDKs & dongles (they should've been "soooo" straightforward to integrate -- according to marketing material :\ ) and they were the worst ever: SecureDongle X has no 64-bit support and SecureDongle SD is not cross-platform at all.

So, has anyone out there been through this and found the ultimate Java security usb dongle for cross-platform deployments?

Note: software is low-volume, high-value; application is off-line (intranet with no internet access), so no online-activation alternatives and the like.

-- EDIT

Tried out HASP dongles (used to be called "Aladdin"), and added them to the no-no list: here, too, there is no out-of-the-box (out-of-the-jar) support: e.g. end-linux-user has to manually put the .so library (the specific file for the appropriate bitness) in the right place on his filesystem, and export an env. variable accordingly.

-- EDIT 2

I really don't understand all the negativity and all the downvoting: is this a taboo topic? Is it so hard to understand that a freelance developer has to put food on the table every day to feed his family and pay the bills at the end of the month?

Please don't talk about "adding value" as a supplier, because that'd be off-topic. Furthermore I'm not in direct contact with end-customers, but there's an intermediate reselling entity: it's this entity I want to prevent selling copies of the software without sharing the revenue.

-- EDIT 3

I'd like to emphasize the fact that the question is looking for a technical answer, not one about opinions concerning business models, philosophical lucubrations on the concept of value, resellers' reliability, etc.

I cannot change resellers, because this isn't a "general purpose" kind of sw, but a very vertical one and (for some reasons it's not worth explaining here) I must go through them. I just need to prevent the "we sold 2 copies, here's your share [bwahaha we sold 10]" scenario.
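What the question asks of the SDK's jar (detect the JVM's OS and bitness, find the matching native library inside the jar, and load it without the end-user touching files or environment variables), written out as an added example in plain Java. This is not code from any of the SDKs named here; the `/natives/<os>-<arch>/` layout, the library name `dongle` and the private temp-directory strategy are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

/** Added example (not any vendor's SDK code): pick the native library matching
 *  the running JVM from inside the jar and load it, so the end user never
 *  touches .so/.dll files or environment variables. Assumed jar layout:
 *  /natives/<os>-<arch>/<System.mapLibraryName(name)>, e.g.
 *  /natives/linux-x86_64/libdongle.so or /natives/windows-x86/dongle.dll. */
public final class NativeLoader {
    private NativeLoader() {}

    /** Normalises os.name / os.arch into the directory names used in the jar. */
    static String platformDir(String osName, String osArch) {
        String os = osName.toLowerCase(), arch = osArch.toLowerCase();
        String osKey = os.contains("win") ? "windows"
                     : os.contains("mac") ? "macos"
                     : os.contains("linux") ? "linux" : os.replace(' ', '_');
        String archKey = (arch.equals("amd64") || arch.equals("x86_64")) ? "x86_64"
                       : (arch.equals("x86") || arch.equals("i386")) ? "x86" : arch;
        return osKey + "-" + archKey;
    }

    /** Resource path of the bundled library for the JVM we are running in. */
    static String resourcePath(String libName) {
        String dir = platformDir(System.getProperty("os.name", ""), System.getProperty("os.arch", ""));
        return "/natives/" + dir + "/" + System.mapLibraryName(libName);
    }

    /** Copies the bundled library to a fresh owner-only temp directory and System.load()s it.
     *  Fails with a clear UnsatisfiedLinkError if the jar carries no build for this platform. */
    static void load(String libName) throws IOException {
        String res = resourcePath(libName);
        try (InputStream in = NativeLoader.class.getResourceAsStream(res)) {
            if (in == null) {
                throw new UnsatisfiedLinkError("no bundled native library at " + res);
            }
            Path dir = Files.createTempDirectory("natives-");   // 0700 on POSIX: no library planting
            Path target = dir.resolve(System.mapLibraryName(libName));
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
            dir.toFile().deleteOnExit();      // deleteOnExit runs in reverse registration order,
            target.toFile().deleteOnExit();   // so the file goes before its directory
            System.load(target.toAbsolutePath().toString());
        }
    }
}
```

Extracting into a shared, world-writable temp location instead of a fresh private directory would let another local user pre-plant a file with the same name, so keep the private directory (or verify a bundled SHA-256 of the extracted file before calling `System.load`).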

This question appears to be off-topic. The users who voted to close gave this specific reason:

"Questions asking us to recommend a tool, library or favorite off-site resource are off-topic for Programmers as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it." – gnat, Bart van Ingen Schenau, Dan Pichelman, MichaelT, GlenH7

You may want to consider your reseller's capabilities. Your reseller has a strong financial incentive to break your security (if you can't enforce it by legal means), and may well hire somebody to break it. A level of protection that will stop the casual user may be inadequate here.
– David Thornley, Jan 30 '12 at 18:14

3

Dongles are like video game copy protection. All they do is make the honest people who want to pay you miserable. Who even has physical servers anymore that you can plug one into? I spend $50,000 on redundant VM clusters for HA but have single points of failure cause some library needs a physical computer with a dongle in it? no thanks.
– Affe, Feb 5 '12 at 10:00

1

Pure java is easy to circumvent. Just write an agent to do the byte code manipulation you want. You will need to have critical business logic in native code to get above what any capable Java programmer can easily circumvent.
– user1249, Feb 5 '12 at 14:39

2

(additionally the "need native lib" may be easily solvable by launching using Java WebStart)
– user1249, Feb 5 '12 at 14:52

There is no effective offline software protection for Java code. jad and 30 minutes of a decent Java coder is all that's needed to rip the "is dongle present" part out of your code. Which means if you spend more than a few seconds of development time implementing it, it's probably not worth it.

There could exist hardware devices which can be used to run vital parts of your code (i.e. significant application logic) which cannot be ripped out without damaging functionality, though. Or you could even provide your system as a complete trusted system (i.e. delivering it as a tamper-proof box with a TPM or something like that).

However, you seem to have a "human" problem, not a technical one.

Programmers do have to live with piracy. If you can't trust your resellers, find others. If you have to go through them, you need to evaluate the equilibrium; you are providing value to them and if they screw up with you, you can leave and screw them back. If the equilibrium works too much against you, I'm sorry but you picked the wrong area to do business with and, with or without piracy, they can screw you because a) they can + b) they are not trustworthy; it doesn't matter if it's stealing your app, not paying you or whatever; trust is essential to business and if you don't have that, it's a lost battle that won't be won using technical means.

It's ok if someone cracks their way into the hardware protection mechanism: what I need is to prevent a simple "install it on multiple places" or "pass it on to colleagues" done by non computer-literate users. As I stated in my question, it's a small volume deployment for a very specific field, so nobody would bother taking any active effort in cracking the licence. It is, however, a high-value software, so it does make a big difference to me as a freelance programmer.
– Unai Vivi, Jan 23 '12 at 20:46

1

Have you considered a potential solution besides the security dongle? It seems you may be looking for a magic bullet when you do not really need one. If you are willing to use something that can easily be hacked what is the point of doing it with a dongle?
– Chad, Jan 23 '12 at 21:40

A hardware-based dongle is not necessarily easily hacked: there are dongles for which hacking contests have been made and no winner has cracked the mechanism yet. Point is I need "some sort" of copy-prevention mechanism and I can't use online activation (since the application is off the grid): a hardware dongle is the only effective solution I can think of... I just need to find out if somewhere, sometime and somehow, some company has ever done that with Java in mind.
– Unai Vivi, Jan 23 '12 at 22:06

1

Or install the software yourself; you can insert a key in the registry or create a hidden file, or something similar. Not "trivial" to reproduce.
– alex, Jan 24 '12 at 20:17

2

@alex - there are dongles which contain (encrypted) some of the executable code and extract and load it at runtime. Not completely secure but a lot harder to get around than simply removing the if_dongle_present() calls.
– Martin Beckett, Jan 30 '12 at 16:53

There is no technical solution; this is not a technical problem. You are dealing with people you don't trust and they have a financial incentive to cheat you: this is a 100% people problem!

You talk about high value software, but high value to WHOM: your company or your customers? If it is your company, it is just EXPENSIVE software.

If it is really high value to your customers you don't have anything to worry about they won't mind paying for the software.

Focus on high value for the customer.

Effort to create something doesn't mean it is valuable to a customer. It just means it was expensive to create.

If you are worrying about vertical market customers pirating your software you just aren't charging enough. Adobe charges more for Photoshop than the laptops it runs on. They do that because they are adding in the lost revenue from pirates. You just need to charge more if you are the only player in the space.

EXAMPLE: As a consumer, diamonds have no value to me; regardless of how much it costs to produce them, they will never be of any value to me.

EXAMPLE: iPods and iPhones are not valued by the consumer because of the effort to create them; they are valued because of what they do for the customer. That is why Apple can charge what some people consider a premium price for their product: it is valuable to the consumer.

If your software really is so valuable (and I doubt it), someone is going to have a financial incentive to cheat, and they will find a way. Figure out what your piracy ratio is and charge enough for the first licence to pay for the ratio. Problem solved.

Your solution is to charge enough so that, as in your example, when they report 2 sales and actually install 10, you still make the same amount of profit. Plain and simple.

+1 Fully agreed. If it is low-scale, high-value software, focus on keeping the customers happy and willing to pay for it, and assume there will be some degree of copying. You can even factor that into the final price.
– Andres F., Jan 30 '12 at 17:17

@Jarrdod It doesn't work that way where I'm from. Not at all. High value means that the manpower fixed costs needed to create the software are not divided among many customers, making it a "niche" application. Here, if someone can get his hands on free (read "pirated") stuff, they will. No matter how high the value or quality or how vital it is for their company. You can focus on high value for the customer if you have that customer in the first place. You can't, if that customer got the software for half the price from a malicious reseller not sharing revenue with you.
– Unai Vivi, Jan 30 '12 at 17:25

@AndresF. There is nothing I can do to keep the customer happier. The software does its work nicely and that's it. I could add a "need" for technical support, but that'd be unethical and not necessary: it's an easy-to-use software that does very specific things in a nice and efficient way, allowing the customer to cut costs.
– Unai Vivi, Jan 30 '12 at 17:35

1

@UnaiVivi you miss my point entirely: what you call high value isn't correct. You are placing a value on something based on the effort to create it, and that isn't the same thing as value. You can spend 100s of man hours and tens of thousands of dollars producing low value software. Effort != value.
– Jarrod Roberson, Jan 31 '12 at 2:20

Interesting. Notwithstanding, all this does not have anything to do with my question.
– Unai Vivi, Feb 5 '12 at 10:45

Are all the installed copies for a certain client located on a single local network? If they are, you could use a peer-to-peer protection scheme where packets are broadcast over the LAN and the installed clients cooperate to ensure license compliance (like what JetBrains uses). This doesn't require a connection to the internet, it allows license pooling among computers, and can be implemented in pure Java, thus being platform independent.
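The cooperative LAN scheme described in this answer, as an added example in plain Java (not JetBrains' actual protocol, nor code from the answerer): each running copy answers UDP probes that carry its license id, and a copy that is about to start broadcasts first and counts the answers it receives. The port number, the message format and the "probe before you respond" ordering are assumptions.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

/** Added example (port and message format assumed). A copy probes BEFORE starting
 *  its own responder, so every reply it sees comes from another copy already running. */
public final class LanLicenseProbe {
    static final int PORT = 46000;
    static final String PROBE = "LIC-PROBE ", IN_USE = "LIC-IN-USE ";
    static String text(DatagramPacket p) {
        return new String(p.getData(), 0, p.getLength(), StandardCharsets.UTF_8);
    }
    /** Responder: replies to every probe carrying our license id until the socket is closed. */
    static DatagramSocket startResponder(String licenseId) throws IOException {
        DatagramSocket sock = new DatagramSocket(PORT);
        new Thread(() -> {
            byte[] buf = new byte[256];
            try {
                while (true) {
                    DatagramPacket p = new DatagramPacket(buf, buf.length);
                    sock.receive(p);
                    if (!text(p).equals(PROBE + licenseId)) continue;
                    byte[] r = (IN_USE + licenseId).getBytes(StandardCharsets.UTF_8);
                    sock.send(new DatagramPacket(r, r.length, p.getAddress(), p.getPort()));
                }
            } catch (IOException closed) { /* sock.close() from the owner ends the loop */ }
        }).start();
        return sock;   // caller closes it to stop responding
    }
    /** Probe: broadcast our id and count the copies that answer within timeoutMs. */
    static int countRunningCopies(String licenseId, int timeoutMs) throws IOException {
        try (DatagramSocket sock = new DatagramSocket()) {
            sock.setBroadcast(true);
            sock.setSoTimeout(timeoutMs);
            byte[] q = (PROBE + licenseId).getBytes(StandardCharsets.UTF_8);
            sock.send(new DatagramPacket(q, q.length, InetAddress.getByName("255.255.255.255"), PORT));
            int count = 0;
            byte[] buf = new byte[256];
            while (true) {
                DatagramPacket p = new DatagramPacket(buf, buf.length);
                try { sock.receive(p); } catch (SocketTimeoutException e) { return count; }
                if (text(p).equals(IN_USE + licenseId)) count++;
            }
        }
    }
}
```

A host firewall that drops the UDP port makes every probe come back with zero answers, so the policy for "no peer replied" decides whether the scheme fails open; the plain-text replies are also unauthenticated, so a deployment would at least sign them with a key that is not in the jar.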

The protection is needed for the server side of a client-server infrastructure, so any customer site only needs to run one copy of the server software. Nevertheless, +1 for your nice and relevant answer.
– Unai Vivi, Jan 31 '12 at 14:13

His answer is still technically valid if they don't "split" their network. Broadcast and if another copy answers, shut down.
– alex, Feb 4 '12 at 11:41

@alex I mean that for the same customer it makes no difference having 1 or 10 instances running (they just need one). What I need to prevent isn't customers running more instances than licensed (I don't care about that), but unlicensed companies running an instance.
– Unai Vivi, Feb 5 '12 at 10:14

Implement some type of copy protection scheme and put everything on a USB key. Difficult, but doable. Be sure to use a really good obfuscation program on the class files before packing them into the jar.

If the program is on machines that can "see" the internet, have the program "phone home". Be sure to inform prospective purchasers that this will be necessary to run the program.

I would suggest looking into how the most successful games are being run. Typical examples are Blizzard's various *Craft games and Valve's Steam.

Require an internet connection and a valid set of user credentials.

Each user can only be logged in on one computer.

The program must get a small chunk of code from the server required to run. Said code must change on a regular basis and be hard to guess. An example could be a key for communicating with the online cloud.

Do regular updates of the code base, so a crack is only valid for a short period of time.

All these points take time and money. You should consider how much effort you want to spend on protection to do it properly and ensure that adequate funding is present.

This answer is not helpful. The OP clearly states that 'application is off-line (intranet with no internet access), so no online-activation alternatives and the like.'. There are many applications in the world that do not and will never have internet access.
– Jim In Texas, Apr 5 '12 at 8:31